The Intersection of Accessibility and Cybersecurity - Why It Matters
Laptop with braille reader - Photo by Elizabeth Woolner on Unsplash

As cybersecurity professionals, we often prioritize building systems that are secure, but are they accessible to everyone who needs them? Accessibility in cybersecurity is frequently overlooked, but it is essential for ensuring that everyone, regardless of physical or neurological differences, can work securely and safely.

Imagine one of your employees or customers who uses your system every day (let's call her Anna). Anna lives with a neurological condition that impairs her vision, making it difficult for her to interact with common security measures like facial recognition or certain two-factor authentication (2FA) processes. Due to these accessibility challenges, Anna often struggles to complete tasks that were once simple, such as logging in or verifying her identity.

These barriers don’t just make Anna’s day harder; they may also force her to find workarounds that compromise the security you’ve worked hard to put in place. This is not a unique problem. Inaccessible security measures affect many users and can ultimately lead to increased vulnerabilities across your organization.

This scenario was outlined in an NCSC article recognising accessibility as a cyber security priority.

Addressing the Challenge of Inaccessible Security

There's a common misconception that security and accessibility are at odds and need to be "balanced". On the contrary, research shows that cybersecurity systems must be designed with accessibility as a core component, alongside security and usability. For example, if a security timeout is too short for Anna to complete her tasks due to her disability, she may resort to insecure practices just to get her job done. This is a risk that organizations cannot afford to ignore.

When security measures are designed to accommodate diverse needs, they become more resilient and effective for everyone. Accessibility isn’t just a matter of compliance; it’s about reducing risk, improving usability, and ensuring that systems work in the real world.

Accessibility in Web Applications and Its Impact on Security

Accessibility in web applications plays a critical role in cybersecurity, especially when it comes to protecting user accounts and sensitive information. When security features like authentication are not designed with accessibility in mind, users with disabilities may be forced to rely on others to assist them, compromising the confidentiality and security of their accounts. For example, inaccessible multi-factor authentication (MFA) processes could force a user to share their login credentials or one-time codes with someone else. This could be especially dangerous for vulnerable users.

Inaccessible web forms can also endanger the privacy of users. Consider a scenario where a visually impaired person is required to input sensitive data, such as credit card information or personally identifiable information (PII), into a poorly designed, inaccessible form. Without clear labels, error messages, or accessible elements like screen reader compatibility, the user may unknowingly expose their data or fail to complete the transaction securely. This could lead to the disclosure of personal information, increasing the risk of identity theft or fraud.
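A small audit for the form failures described above, as an added example that is not part of the original article: it flags data-entry fields with no programmatic label, fields with no `autocomplete` token (which autofill tools and password managers use to identify a field's purpose), and `aria-describedby` references to help or error text that does not exist. The function name `audit_form`, the finding codes and the sample form are constructed for illustration.

```python
from html.parser import HTMLParser

SKIP_TYPES = {"hidden", "submit", "button", "reset"}

class FormAudit(HTMLParser):
    """Collect form fields, label targets and element ids from one page."""
    def __init__(self):
        super().__init__()
        self.fields, self.label_for, self.ids = [], set(), set()
        self.label_depth = 0  # > 0 while inside <label> (implicit labelling)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if a.get("id"):
            self.ids.add(a["id"])
        if tag == "label":
            self.label_depth += 1
            if a.get("for"):
                self.label_for.add(a["for"])
        elif tag in ("input", "select", "textarea") and a.get("type", "text") not in SKIP_TYPES:
            a["_wrapped"] = self.label_depth > 0
            self.fields.append(a)

    def handle_endtag(self, tag):
        if tag == "label" and self.label_depth:
            self.label_depth -= 1

def audit_form(html):
    """Return (field, finding) pairs for fields that lack accessible support."""
    page = FormAudit()
    page.feed(html)
    findings = []
    for f in page.fields:
        name = f.get("name") or f.get("id") or "(unnamed)"
        if not (f.get("id") in page.label_for or f["_wrapped"]
                or f.get("aria-label") or f.get("aria-labelledby")):
            findings.append((name, "no-label"))  # no programmatic name for the field
        if not f.get("autocomplete"):
            findings.append((name, "no-autocomplete"))  # autofill cannot identify purpose
        if any(r not in page.ids for r in (f.get("aria-describedby") or "").split()):
            findings.append((name, "dangling-describedby"))  # help/error text not linked
    return findings

# Constructed sample login form (not taken from any real site).
SAMPLE = """<form action="/login" method="post">
  <label for="user">Username</label>
  <input id="user" name="user" autocomplete="username">
  <input type="password" name="pw" placeholder="Password">
  <label>Code <input name="otp" autocomplete="one-time-code" aria-describedby="otp-help"></label>
</form>"""
```

Calling `audit_form(SAMPLE)` flags the password field, which has only a placeholder and no `autocomplete` token, and the one-time-code field, whose `aria-describedby` points at an id that is not on the page.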

The consequences of these accessibility oversights can be devastating, especially when they involve critical services like online banking, medical records, or government portals. By failing to design systems that are accessible, organizations not only put individuals at risk but also open themselves up to security vulnerabilities that could have far-reaching effects.

Why Cybersecurity Needs Accessibility

  1. Reduce Security Risks: Ensuring that security tools are accessible reduces the risk of human error - a common factor in security breaches. Systems that are easier to use for everyone, including those with disabilities, help prevent security compromises.
  2. Improve Operational Efficiency: Accessible systems enable all users to work more efficiently. Intuitive, inclusive technology allows users to complete tasks securely without unnecessary friction, boosting overall productivity and security.
  3. Ethical and Legal Responsibility: Governments and industries are moving online at an increasing pace, making it critical to ensure security systems are accessible to all users. By prioritizing accessibility, companies not only meet legal requirements but also demonstrate a commitment to inclusivity.
  4. Attract and Retain Diverse Talent: Accessibility fosters a more inclusive work environment, which can attract and retain a diverse workforce. This cannot be achieved without accessibility.

How Cybersecurity Professionals Can Improve Accessibility:

  1. Engage with Users: Understand diverse accessibility needs through user feedback, testing, and creating personas for those with disabilities.
  2. Offer Alternative Authentication: Provide a range of secure login methods (e.g., email, SMS, tokens) to accommodate different users' abilities.
  3. Make Security Training Accessible: Provide security awareness training in multiple formats, including transcripts, captions for videos, and content that is compatible with screen readers. Write policies, training materials, and security alerts in clear, simple language to be accessible to a broader audience, including those with cognitive disabilities.
  4. Ensure Compatibility: Make sure security tools like password managers and encryption software work seamlessly with assistive technology.
  5. Train Cybersecurity Teams: Educate staff on the importance of accessibility and how to incorporate it into security designs.
  6. Audit Regularly: Conduct frequent accessibility audits of security features and adapt based on user feedback.

Accessibility in cybersecurity is not an add-on; it is essential for creating a secure environment that works for everyone. By designing systems that consider all users, you not only protect more people but also strengthen the security and resilience of your organization. Ask yourself: How accessible is your cybersecurity today, and what can you do to ensure that your security measures don’t unintentionally exclude anyone?

When thinking about accessibility, remember these words from Stephanie Cadieux: "Disability is not the problem. Barriers are the problem".


Sources:

  • National Cyber Security Centre: “Accessibility as a Cybersecurity Priority.”
  • Renaud, K. Accessible and Inclusive Cyber Security: a Nuanced and Complex Challenge.

Musa A.

Tech/Cybersecurity/Legal Recruitment Specialist | 11+ Years of 360 Talent Acquisition | Building High-Performing Teams | Trusted by Leading UK Consultancies

6 months

Perfectly said Aliyu G. Y.

Hassan I. PMP

Project & Product Management | PMI - ACP | PMP | SQL

7 months

Great Article!

Well said! Accessibility in cybersecurity is both an ethical and practical necessity Aliyu G. Y.

Oluwafemi O.

CyberSecurity || CyberOps || SOC Analyst || Threat Analysis || Threat Intelligence || Incident Handling || Log Analysis || (ISC)2 CC || Blue Team || I4G Cybersecurity 2023 Cohort Graduate

7 months

This is very insightful. Well done Aliyu G. Y.

Aarti Ajay

IT Audit Manager

7 months

Great article, well articulated. How do we link lack of implementing IS policies and procedures hampering accessibility risks?